pulumi-gcp 8.8.0a1730615974__py3-none-any.whl → 8.8.0a1730856812__py3-none-any.whl

pulumi_gcp/iap/_inputs.py

@@ -23,6 +23,30 @@ __all__ = [
     'AppEngineVersionIamBindingConditionArgsDict',
     'AppEngineVersionIamMemberConditionArgs',
     'AppEngineVersionIamMemberConditionArgsDict',
+    'SettingsAccessSettingsArgs',
+    'SettingsAccessSettingsArgsDict',
+    'SettingsAccessSettingsAllowedDomainsSettingsArgs',
+    'SettingsAccessSettingsAllowedDomainsSettingsArgsDict',
+    'SettingsAccessSettingsCorsSettingsArgs',
+    'SettingsAccessSettingsCorsSettingsArgsDict',
+    'SettingsAccessSettingsGcipSettingsArgs',
+    'SettingsAccessSettingsGcipSettingsArgsDict',
+    'SettingsAccessSettingsOauthSettingsArgs',
+    'SettingsAccessSettingsOauthSettingsArgsDict',
+    'SettingsAccessSettingsReauthSettingsArgs',
+    'SettingsAccessSettingsReauthSettingsArgsDict',
+    'SettingsAccessSettingsWorkforceIdentitySettingsArgs',
+    'SettingsAccessSettingsWorkforceIdentitySettingsArgsDict',
+    'SettingsAccessSettingsWorkforceIdentitySettingsOauth2Args',
+    'SettingsAccessSettingsWorkforceIdentitySettingsOauth2ArgsDict',
+    'SettingsApplicationSettingsArgs',
+    'SettingsApplicationSettingsArgsDict',
+    'SettingsApplicationSettingsAccessDeniedPageSettingsArgs',
+    'SettingsApplicationSettingsAccessDeniedPageSettingsArgsDict',
+    'SettingsApplicationSettingsAttributePropagationSettingsArgs',
+    'SettingsApplicationSettingsAttributePropagationSettingsArgsDict',
+    'SettingsApplicationSettingsCsmSettingsArgs',
+    'SettingsApplicationSettingsCsmSettingsArgsDict',
     'TunnelDestGroupIamBindingConditionArgs',
     'TunnelDestGroupIamBindingConditionArgsDict',
     'TunnelDestGroupIamMemberConditionArgs',
@@ -387,6 +411,984 @@ class AppEngineVersionIamMemberConditionArgs:
         pulumi.set(self, "description", value)
 
 
+if not MYPY:
+    class SettingsAccessSettingsArgsDict(TypedDict):
+        allowed_domains_settings: NotRequired[pulumi.Input['SettingsAccessSettingsAllowedDomainsSettingsArgsDict']]
+        """
+        Settings to configure and enable allowed domains.
+        Structure is documented below.
+        """
+        cors_settings: NotRequired[pulumi.Input['SettingsAccessSettingsCorsSettingsArgsDict']]
+        """
+        Configuration to allow cross-origin requests via IAP.
+        Structure is documented below.
+        """
+        gcip_settings: NotRequired[pulumi.Input['SettingsAccessSettingsGcipSettingsArgsDict']]
+        """
+        GCIP claims and endpoint configurations for 3p identity providers.
+        Structure is documented below.
+        """
+        identity_sources: NotRequired[pulumi.Input[Sequence[pulumi.Input[str]]]]
+        """
+        Identity sources that IAP can use to authenticate the end user. Only one identity source
+        can be configured. The possible values are:
+        * `WORKFORCE_IDENTITY_FEDERATION`: Use external identities set up on Google Cloud Workforce
+        Identity Federation.
+        Each value may be one of: `WORKFORCE_IDENTITY_FEDERATION`.
+        """
+        oauth_settings: NotRequired[pulumi.Input['SettingsAccessSettingsOauthSettingsArgsDict']]
+        """
+        Settings to configure IAP's OAuth behavior.
+        Structure is documented below.
+        """
+        reauth_settings: NotRequired[pulumi.Input['SettingsAccessSettingsReauthSettingsArgsDict']]
+        """
+        Settings to configure reauthentication policies in IAP.
+        Structure is documented below.
+        """
+        workforce_identity_settings: NotRequired[pulumi.Input['SettingsAccessSettingsWorkforceIdentitySettingsArgsDict']]
+        """
+        Settings to configure the workforce identity federation, including workforce pools
+        and OAuth 2.0 settings.
+        Structure is documented below.
+        """
+elif False:
+    SettingsAccessSettingsArgsDict: TypeAlias = Mapping[str, Any]
+
+@pulumi.input_type
+class SettingsAccessSettingsArgs:
+    def __init__(__self__, *,
+                 allowed_domains_settings: Optional[pulumi.Input['SettingsAccessSettingsAllowedDomainsSettingsArgs']] = None,
+                 cors_settings: Optional[pulumi.Input['SettingsAccessSettingsCorsSettingsArgs']] = None,
+                 gcip_settings: Optional[pulumi.Input['SettingsAccessSettingsGcipSettingsArgs']] = None,
+                 identity_sources: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
+                 oauth_settings: Optional[pulumi.Input['SettingsAccessSettingsOauthSettingsArgs']] = None,
+                 reauth_settings: Optional[pulumi.Input['SettingsAccessSettingsReauthSettingsArgs']] = None,
+                 workforce_identity_settings: Optional[pulumi.Input['SettingsAccessSettingsWorkforceIdentitySettingsArgs']] = None):
+        """
+        :param pulumi.Input['SettingsAccessSettingsAllowedDomainsSettingsArgs'] allowed_domains_settings: Settings to configure and enable allowed domains.
+               Structure is documented below.
+        :param pulumi.Input['SettingsAccessSettingsCorsSettingsArgs'] cors_settings: Configuration to allow cross-origin requests via IAP.
+               Structure is documented below.
+        :param pulumi.Input['SettingsAccessSettingsGcipSettingsArgs'] gcip_settings: GCIP claims and endpoint configurations for 3p identity providers.
+               Structure is documented below.
+        :param pulumi.Input[Sequence[pulumi.Input[str]]] identity_sources: Identity sources that IAP can use to authenticate the end user. Only one identity source
+               can be configured. The possible values are:
+               * `WORKFORCE_IDENTITY_FEDERATION`: Use external identities set up on Google Cloud Workforce
+               Identity Federation.
+               Each value may be one of: `WORKFORCE_IDENTITY_FEDERATION`.
+        :param pulumi.Input['SettingsAccessSettingsOauthSettingsArgs'] oauth_settings: Settings to configure IAP's OAuth behavior.
+               Structure is documented below.
+        :param pulumi.Input['SettingsAccessSettingsReauthSettingsArgs'] reauth_settings: Settings to configure reauthentication policies in IAP.
+               Structure is documented below.
+        :param pulumi.Input['SettingsAccessSettingsWorkforceIdentitySettingsArgs'] workforce_identity_settings: Settings to configure the workforce identity federation, including workforce pools
+               and OAuth 2.0 settings.
+               Structure is documented below.
+        """
+        if allowed_domains_settings is not None:
+            pulumi.set(__self__, "allowed_domains_settings", allowed_domains_settings)
+        if cors_settings is not None:
+            pulumi.set(__self__, "cors_settings", cors_settings)
+        if gcip_settings is not None:
+            pulumi.set(__self__, "gcip_settings", gcip_settings)
+        if identity_sources is not None:
+            pulumi.set(__self__, "identity_sources", identity_sources)
+        if oauth_settings is not None:
+            pulumi.set(__self__, "oauth_settings", oauth_settings)
+        if reauth_settings is not None:
+            pulumi.set(__self__, "reauth_settings", reauth_settings)
+        if workforce_identity_settings is not None:
+            pulumi.set(__self__, "workforce_identity_settings", workforce_identity_settings)
+
+    @property
+    @pulumi.getter(name="allowedDomainsSettings")
+    def allowed_domains_settings(self) -> Optional[pulumi.Input['SettingsAccessSettingsAllowedDomainsSettingsArgs']]:
+        """
+        Settings to configure and enable allowed domains.
+        Structure is documented below.
+        """
+        return pulumi.get(self, "allowed_domains_settings")
+
+    @allowed_domains_settings.setter
+    def allowed_domains_settings(self, value: Optional[pulumi.Input['SettingsAccessSettingsAllowedDomainsSettingsArgs']]):
+        pulumi.set(self, "allowed_domains_settings", value)
+
+    @property
+    @pulumi.getter(name="corsSettings")
+    def cors_settings(self) -> Optional[pulumi.Input['SettingsAccessSettingsCorsSettingsArgs']]:
+        """
+        Configuration to allow cross-origin requests via IAP.
+        Structure is documented below.
+        """
+        return pulumi.get(self, "cors_settings")
+
+    @cors_settings.setter
+    def cors_settings(self, value: Optional[pulumi.Input['SettingsAccessSettingsCorsSettingsArgs']]):
+        pulumi.set(self, "cors_settings", value)
+
+    @property
+    @pulumi.getter(name="gcipSettings")
+    def gcip_settings(self) -> Optional[pulumi.Input['SettingsAccessSettingsGcipSettingsArgs']]:
+        """
+        GCIP claims and endpoint configurations for 3p identity providers.
+        Structure is documented below.
+        """
+        return pulumi.get(self, "gcip_settings")
+
+    @gcip_settings.setter
+    def gcip_settings(self, value: Optional[pulumi.Input['SettingsAccessSettingsGcipSettingsArgs']]):
+        pulumi.set(self, "gcip_settings", value)
+
+    @property
+    @pulumi.getter(name="identitySources")
+    def identity_sources(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
+        """
+        Identity sources that IAP can use to authenticate the end user. Only one identity source
+        can be configured. The possible values are:
+        * `WORKFORCE_IDENTITY_FEDERATION`: Use external identities set up on Google Cloud Workforce
+        Identity Federation.
+        Each value may be one of: `WORKFORCE_IDENTITY_FEDERATION`.
+        """
+        return pulumi.get(self, "identity_sources")
+
+    @identity_sources.setter
+    def identity_sources(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]):
+        pulumi.set(self, "identity_sources", value)
+
+    @property
+    @pulumi.getter(name="oauthSettings")
+    def oauth_settings(self) -> Optional[pulumi.Input['SettingsAccessSettingsOauthSettingsArgs']]:
+        """
+        Settings to configure IAP's OAuth behavior.
+        Structure is documented below.
+        """
+        return pulumi.get(self, "oauth_settings")
+
+    @oauth_settings.setter
+    def oauth_settings(self, value: Optional[pulumi.Input['SettingsAccessSettingsOauthSettingsArgs']]):
+        pulumi.set(self, "oauth_settings", value)
+
+    @property
+    @pulumi.getter(name="reauthSettings")
+    def reauth_settings(self) -> Optional[pulumi.Input['SettingsAccessSettingsReauthSettingsArgs']]:
+        """
+        Settings to configure reauthentication policies in IAP.
+        Structure is documented below.
+        """
+        return pulumi.get(self, "reauth_settings")
+
+    @reauth_settings.setter
+    def reauth_settings(self, value: Optional[pulumi.Input['SettingsAccessSettingsReauthSettingsArgs']]):
+        pulumi.set(self, "reauth_settings", value)
+
+    @property
+    @pulumi.getter(name="workforceIdentitySettings")
+    def workforce_identity_settings(self) -> Optional[pulumi.Input['SettingsAccessSettingsWorkforceIdentitySettingsArgs']]:
+        """
+        Settings to configure the workforce identity federation, including workforce pools
+        and OAuth 2.0 settings.
+        Structure is documented below.
+        """
+        return pulumi.get(self, "workforce_identity_settings")
+
+    @workforce_identity_settings.setter
+    def workforce_identity_settings(self, value: Optional[pulumi.Input['SettingsAccessSettingsWorkforceIdentitySettingsArgs']]):
+        pulumi.set(self, "workforce_identity_settings", value)
+
+
+if not MYPY:
+    class SettingsAccessSettingsAllowedDomainsSettingsArgsDict(TypedDict):
+        domains: NotRequired[pulumi.Input[Sequence[pulumi.Input[str]]]]
+        """
+        List of trusted domains.
+        """
+        enable: NotRequired[pulumi.Input[bool]]
+        """
+        Configuration for customers to opt in for the feature.
+        """
+elif False:
+    SettingsAccessSettingsAllowedDomainsSettingsArgsDict: TypeAlias = Mapping[str, Any]
+
+@pulumi.input_type
+class SettingsAccessSettingsAllowedDomainsSettingsArgs:
+    def __init__(__self__, *,
+                 domains: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
+                 enable: Optional[pulumi.Input[bool]] = None):
+        """
+        :param pulumi.Input[Sequence[pulumi.Input[str]]] domains: List of trusted domains.
+        :param pulumi.Input[bool] enable: Configuration for customers to opt in for the feature.
+        """
+        if domains is not None:
+            pulumi.set(__self__, "domains", domains)
+        if enable is not None:
+            pulumi.set(__self__, "enable", enable)
+
+    @property
+    @pulumi.getter
+    def domains(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
+        """
+        List of trusted domains.
+        """
+        return pulumi.get(self, "domains")
+
+    @domains.setter
+    def domains(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]):
+        pulumi.set(self, "domains", value)
+
+    @property
+    @pulumi.getter
+    def enable(self) -> Optional[pulumi.Input[bool]]:
+        """
+        Configuration for customers to opt in for the feature.
+        """
+        return pulumi.get(self, "enable")
+
+    @enable.setter
+    def enable(self, value: Optional[pulumi.Input[bool]]):
+        pulumi.set(self, "enable", value)
+
+
+if not MYPY:
+    class SettingsAccessSettingsCorsSettingsArgsDict(TypedDict):
+        allow_http_options: NotRequired[pulumi.Input[bool]]
+        """
+        Configuration to allow HTTP OPTIONS calls to skip authorization.
+        If undefined, IAP will not apply any special logic to OPTIONS requests.
+        """
+elif False:
+    SettingsAccessSettingsCorsSettingsArgsDict: TypeAlias = Mapping[str, Any]
+
+@pulumi.input_type
+class SettingsAccessSettingsCorsSettingsArgs:
+    def __init__(__self__, *,
+                 allow_http_options: Optional[pulumi.Input[bool]] = None):
+        """
+        :param pulumi.Input[bool] allow_http_options: Configuration to allow HTTP OPTIONS calls to skip authorization.
+               If undefined, IAP will not apply any special logic to OPTIONS requests.
+        """
+        if allow_http_options is not None:
+            pulumi.set(__self__, "allow_http_options", allow_http_options)
+
+    @property
+    @pulumi.getter(name="allowHttpOptions")
+    def allow_http_options(self) -> Optional[pulumi.Input[bool]]:
+        """
+        Configuration to allow HTTP OPTIONS calls to skip authorization.
+        If undefined, IAP will not apply any special logic to OPTIONS requests.
+        """
+        return pulumi.get(self, "allow_http_options")
+
+    @allow_http_options.setter
+    def allow_http_options(self, value: Optional[pulumi.Input[bool]]):
+        pulumi.set(self, "allow_http_options", value)
+
+
+if not MYPY:
+    class SettingsAccessSettingsGcipSettingsArgsDict(TypedDict):
+        login_page_uri: NotRequired[pulumi.Input[str]]
+        """
+        Login page URI associated with the GCIP tenants. Typically, all resources within
+        the same project share the same login page, though it could be overridden at the
+        sub resource level.
+        """
+        tenant_ids: NotRequired[pulumi.Input[Sequence[pulumi.Input[str]]]]
+        """
+        GCIP tenant ids that are linked to the IAP resource. tenantIds could be a string
+        beginning with a number character to indicate authenticating with GCIP tenant flow,
+        or in the format of _ to indicate authenticating with GCIP agent flow. If agent flow
+        is used, tenantIds should only contain one single element, while for tenant flow,
+        tenantIds can contain multiple elements.
+        """
+elif False:
+    SettingsAccessSettingsGcipSettingsArgsDict: TypeAlias = Mapping[str, Any]
+
+@pulumi.input_type
+class SettingsAccessSettingsGcipSettingsArgs:
+    def __init__(__self__, *,
+                 login_page_uri: Optional[pulumi.Input[str]] = None,
+                 tenant_ids: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None):
+        """
+        :param pulumi.Input[str] login_page_uri: Login page URI associated with the GCIP tenants. Typically, all resources within
+               the same project share the same login page, though it could be overridden at the
+               sub resource level.
+        :param pulumi.Input[Sequence[pulumi.Input[str]]] tenant_ids: GCIP tenant ids that are linked to the IAP resource. tenantIds could be a string
+               beginning with a number character to indicate authenticating with GCIP tenant flow,
+               or in the format of _ to indicate authenticating with GCIP agent flow. If agent flow
+               is used, tenantIds should only contain one single element, while for tenant flow,
+               tenantIds can contain multiple elements.
+        """
+        if login_page_uri is not None:
+            pulumi.set(__self__, "login_page_uri", login_page_uri)
+        if tenant_ids is not None:
+            pulumi.set(__self__, "tenant_ids", tenant_ids)
+
+    @property
+    @pulumi.getter(name="loginPageUri")
+    def login_page_uri(self) -> Optional[pulumi.Input[str]]:
+        """
+        Login page URI associated with the GCIP tenants. Typically, all resources within
+        the same project share the same login page, though it could be overridden at the
+        sub resource level.
+        """
+        return pulumi.get(self, "login_page_uri")
+
+    @login_page_uri.setter
+    def login_page_uri(self, value: Optional[pulumi.Input[str]]):
+        pulumi.set(self, "login_page_uri", value)
+
+    @property
+    @pulumi.getter(name="tenantIds")
+    def tenant_ids(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
+        """
+        GCIP tenant ids that are linked to the IAP resource. tenantIds could be a string
+        beginning with a number character to indicate authenticating with GCIP tenant flow,
+        or in the format of _ to indicate authenticating with GCIP agent flow. If agent flow
+        is used, tenantIds should only contain one single element, while for tenant flow,
+        tenantIds can contain multiple elements.
+        """
+        return pulumi.get(self, "tenant_ids")
+
+    @tenant_ids.setter
+    def tenant_ids(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]):
+        pulumi.set(self, "tenant_ids", value)
+
+
+if not MYPY:
+    class SettingsAccessSettingsOauthSettingsArgsDict(TypedDict):
+        login_hint: NotRequired[pulumi.Input[str]]
+        """
+        Domain hint to send as hd=? parameter in OAuth request flow.
+        Enables redirect to primary IDP by skipping Google's login screen.
+        (https://developers.google.com/identity/protocols/OpenIDConnect#hd-param)
+        Note: IAP does not verify that the id token's hd claim matches this value
+        since access behavior is managed by IAM policies.
+        """
+        programmatic_clients: NotRequired[pulumi.Input[Sequence[pulumi.Input[str]]]]
+        """
+        List of client ids allowed to use IAP programmatically.
+        """
+elif False:
+    SettingsAccessSettingsOauthSettingsArgsDict: TypeAlias = Mapping[str, Any]
+
+@pulumi.input_type
+class SettingsAccessSettingsOauthSettingsArgs:
+    def __init__(__self__, *,
+                 login_hint: Optional[pulumi.Input[str]] = None,
+                 programmatic_clients: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None):
+        """
+        :param pulumi.Input[str] login_hint: Domain hint to send as hd=? parameter in OAuth request flow.
+               Enables redirect to primary IDP by skipping Google's login screen.
+               (https://developers.google.com/identity/protocols/OpenIDConnect#hd-param)
+               Note: IAP does not verify that the id token's hd claim matches this value
+               since access behavior is managed by IAM policies.
+        :param pulumi.Input[Sequence[pulumi.Input[str]]] programmatic_clients: List of client ids allowed to use IAP programmatically.
+        """
+        if login_hint is not None:
+            pulumi.set(__self__, "login_hint", login_hint)
+        if programmatic_clients is not None:
+            pulumi.set(__self__, "programmatic_clients", programmatic_clients)
+
+    @property
+    @pulumi.getter(name="loginHint")
+    def login_hint(self) -> Optional[pulumi.Input[str]]:
+        """
+        Domain hint to send as hd=? parameter in OAuth request flow.
+        Enables redirect to primary IDP by skipping Google's login screen.
+        (https://developers.google.com/identity/protocols/OpenIDConnect#hd-param)
+        Note: IAP does not verify that the id token's hd claim matches this value
+        since access behavior is managed by IAM policies.
+        """
+        return pulumi.get(self, "login_hint")
+
+    @login_hint.setter
+    def login_hint(self, value: Optional[pulumi.Input[str]]):
+        pulumi.set(self, "login_hint", value)
+
+    @property
+    @pulumi.getter(name="programmaticClients")
+    def programmatic_clients(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
+        """
+        List of client ids allowed to use IAP programmatically.
+        """
+        return pulumi.get(self, "programmatic_clients")
+
+    @programmatic_clients.setter
+    def programmatic_clients(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]):
+        pulumi.set(self, "programmatic_clients", value)
+
+
+if not MYPY:
+    class SettingsAccessSettingsReauthSettingsArgsDict(TypedDict):
+        max_age: pulumi.Input[str]
+        """
+        Reauth session lifetime, how long before a user has to reauthenticate again.
+        A duration in seconds with up to nine fractional digits, ending with 's'.
+        Example: "3.5s".
+        """
+        method: pulumi.Input[str]
+        """
+        Reauth method requested. The possible values are:
+        * `LOGIN`: Prompts the user to log in again.
+        * `SECURE_KEY`: User must use their secure key 2nd factor device.
+        * `ENROLLED_SECOND_FACTORS`: User can use any enabled 2nd factor.
+        Possible values are: `LOGIN`, `SECURE_KEY`, `ENROLLED_SECOND_FACTORS`.
+        """
+        policy_type: pulumi.Input[str]
+        """
+        How IAP determines the effective policy in cases of hierarchical policies.
+        Policies are merged from higher in the hierarchy to lower in the hierarchy.
+        The possible values are:
+        * `MINIMUM`: This policy acts as a minimum to other policies, lower in the hierarchy.
+        Effective policy may only be the same or stricter.
+        * `DEFAULT`: This policy acts as a default if no other reauth policy is set.
+        Possible values are: `MINIMUM`, `DEFAULT`.
+        """
+elif False:
+    SettingsAccessSettingsReauthSettingsArgsDict: TypeAlias = Mapping[str, Any]
+
+@pulumi.input_type
+class SettingsAccessSettingsReauthSettingsArgs:
+    def __init__(__self__, *,
+                 max_age: pulumi.Input[str],
+                 method: pulumi.Input[str],
+                 policy_type: pulumi.Input[str]):
+        """
+        :param pulumi.Input[str] max_age: Reauth session lifetime, how long before a user has to reauthenticate again.
+               A duration in seconds with up to nine fractional digits, ending with 's'.
+               Example: "3.5s".
+        :param pulumi.Input[str] method: Reauth method requested. The possible values are:
+               * `LOGIN`: Prompts the user to log in again.
+               * `SECURE_KEY`: User must use their secure key 2nd factor device.
+               * `ENROLLED_SECOND_FACTORS`: User can use any enabled 2nd factor.
+               Possible values are: `LOGIN`, `SECURE_KEY`, `ENROLLED_SECOND_FACTORS`.
+        :param pulumi.Input[str] policy_type: How IAP determines the effective policy in cases of hierarchical policies.
+               Policies are merged from higher in the hierarchy to lower in the hierarchy.
+               The possible values are:
+               * `MINIMUM`: This policy acts as a minimum to other policies, lower in the hierarchy.
+               Effective policy may only be the same or stricter.
+               * `DEFAULT`: This policy acts as a default if no other reauth policy is set.
+               Possible values are: `MINIMUM`, `DEFAULT`.
+        """
+        pulumi.set(__self__, "max_age", max_age)
+        pulumi.set(__self__, "method", method)
+        pulumi.set(__self__, "policy_type", policy_type)
+
+    @property
+    @pulumi.getter(name="maxAge")
+    def max_age(self) -> pulumi.Input[str]:
+        """
+        Reauth session lifetime, how long before a user has to reauthenticate again.
+        A duration in seconds with up to nine fractional digits, ending with 's'.
+        Example: "3.5s".
+        """
+        return pulumi.get(self, "max_age")
+
+    @max_age.setter
+    def max_age(self, value: pulumi.Input[str]):
+        pulumi.set(self, "max_age", value)
+
+    @property
+    @pulumi.getter
+    def method(self) -> pulumi.Input[str]:
+        """
+        Reauth method requested. The possible values are:
+        * `LOGIN`: Prompts the user to log in again.
+        * `SECURE_KEY`: User must use their secure key 2nd factor device.
+        * `ENROLLED_SECOND_FACTORS`: User can use any enabled 2nd factor.
+        Possible values are: `LOGIN`, `SECURE_KEY`, `ENROLLED_SECOND_FACTORS`.
+        """
+        return pulumi.get(self, "method")
+
+    @method.setter
+    def method(self, value: pulumi.Input[str]):
+        pulumi.set(self, "method", value)
+
+    @property
+    @pulumi.getter(name="policyType")
+    def policy_type(self) -> pulumi.Input[str]:
+        """
+        How IAP determines the effective policy in cases of hierarchical policies.
+        Policies are merged from higher in the hierarchy to lower in the hierarchy.
+        The possible values are:
+        * `MINIMUM`: This policy acts as a minimum to other policies, lower in the hierarchy.
+        Effective policy may only be the same or stricter.
+        * `DEFAULT`: This policy acts as a default if no other reauth policy is set.
+        Possible values are: `MINIMUM`, `DEFAULT`.
+        """
+        return pulumi.get(self, "policy_type")
+
+    @policy_type.setter
+    def policy_type(self, value: pulumi.Input[str]):
+        pulumi.set(self, "policy_type", value)
+
+
+if not MYPY:
+    class SettingsAccessSettingsWorkforceIdentitySettingsArgsDict(TypedDict):
+        oauth2: NotRequired[pulumi.Input['SettingsAccessSettingsWorkforceIdentitySettingsOauth2ArgsDict']]
+        """
+        OAuth 2.0 settings for IAP to perform OIDC flow with workforce identity
+        federation services.
+        Structure is documented below.
+
+
+        <a name="nested_oauth2"></a>The `oauth2` block supports:
+        """
+        workforce_pools: NotRequired[pulumi.Input[str]]
+        """
+        The workforce pool resources. Only one workforce pool is accepted.
+        """
+elif False:
+    SettingsAccessSettingsWorkforceIdentitySettingsArgsDict: TypeAlias = Mapping[str, Any]
+
+@pulumi.input_type
+class SettingsAccessSettingsWorkforceIdentitySettingsArgs:
+    def __init__(__self__, *,
+                 oauth2: Optional[pulumi.Input['SettingsAccessSettingsWorkforceIdentitySettingsOauth2Args']] = None,
+                 workforce_pools: Optional[pulumi.Input[str]] = None):
+        """
+        :param pulumi.Input['SettingsAccessSettingsWorkforceIdentitySettingsOauth2Args'] oauth2: OAuth 2.0 settings for IAP to perform OIDC flow with workforce identity
+               federation services.
+               Structure is documented below.
+               
+               
+               <a name="nested_oauth2"></a>The `oauth2` block supports:
+        :param pulumi.Input[str] workforce_pools: The workforce pool resources. Only one workforce pool is accepted.
+        """
+        if oauth2 is not None:
+            pulumi.set(__self__, "oauth2", oauth2)
+        if workforce_pools is not None:
+            pulumi.set(__self__, "workforce_pools", workforce_pools)
+
+    @property
+    @pulumi.getter
+    def oauth2(self) -> Optional[pulumi.Input['SettingsAccessSettingsWorkforceIdentitySettingsOauth2Args']]:
+        """
+        OAuth 2.0 settings for IAP to perform OIDC flow with workforce identity
+        federation services.
+        Structure is documented below.
+
+
+        <a name="nested_oauth2"></a>The `oauth2` block supports:
+        """
+        return pulumi.get(self, "oauth2")
+
+    @oauth2.setter
+    def oauth2(self, value: Optional[pulumi.Input['SettingsAccessSettingsWorkforceIdentitySettingsOauth2Args']]):
+        pulumi.set(self, "oauth2", value)
+
+    @property
+    @pulumi.getter(name="workforcePools")
+    def workforce_pools(self) -> Optional[pulumi.Input[str]]:
+        """
+        The workforce pool resources. Only one workforce pool is accepted.
+        """
+        return pulumi.get(self, "workforce_pools")
+
+    @workforce_pools.setter
+    def workforce_pools(self, value: Optional[pulumi.Input[str]]):
+        pulumi.set(self, "workforce_pools", value)
+
+
+if not MYPY:
+    class SettingsAccessSettingsWorkforceIdentitySettingsOauth2ArgsDict(TypedDict):
+        client_id: NotRequired[pulumi.Input[str]]
+        """
+        The OAuth 2.0 client ID registered in the workforce identity
+        federation OAuth 2.0 Server.
+        """
+        client_secret: NotRequired[pulumi.Input[str]]
+        """
+        Input only. The OAuth 2.0 client secret created while registering
+        the client ID.
+        """
+        client_secret_sha256: NotRequired[pulumi.Input[str]]
+        """
+        Output only. SHA256 hash value for the client secret. This field
+        is returned by IAP when the settings are retrieved.
+        """
+elif False:
+    SettingsAccessSettingsWorkforceIdentitySettingsOauth2ArgsDict: TypeAlias = Mapping[str, Any]
+
+@pulumi.input_type
+class SettingsAccessSettingsWorkforceIdentitySettingsOauth2Args:
+    def __init__(__self__, *,
+                 client_id: Optional[pulumi.Input[str]] = None,
+                 client_secret: Optional[pulumi.Input[str]] = None,
+                 client_secret_sha256: Optional[pulumi.Input[str]] = None):
+        """
+        :param pulumi.Input[str] client_id: The OAuth 2.0 client ID registered in the workforce identity
+               federation OAuth 2.0 Server.
+        :param pulumi.Input[str] client_secret: Input only. The OAuth 2.0 client secret created while registering
+               the client ID.
+        :param pulumi.Input[str] client_secret_sha256: Output only. SHA256 hash value for the client secret. This field
+               is returned by IAP when the settings are retrieved.
+        """
+        if client_id is not None:
+            pulumi.set(__self__, "client_id", client_id)
+        if client_secret is not None:
+            pulumi.set(__self__, "client_secret", client_secret)
+        if client_secret_sha256 is not None:
+            pulumi.set(__self__, "client_secret_sha256", client_secret_sha256)
+
+    @property
+    @pulumi.getter(name="clientId")
+    def client_id(self) -> Optional[pulumi.Input[str]]:
+        """
+        The OAuth 2.0 client ID registered in the workforce identity
+        federation OAuth 2.0 Server.
+        """
+        return pulumi.get(self, "client_id")
+
+    @client_id.setter
+    def client_id(self, value: Optional[pulumi.Input[str]]):
+        pulumi.set(self, "client_id", value)
+
+    @property
+    @pulumi.getter(name="clientSecret")
+    def client_secret(self) -> Optional[pulumi.Input[str]]:
+        """
+        Input only. The OAuth 2.0 client secret created while registering
+        the client ID.
+        """
+        return pulumi.get(self, "client_secret")
+
+    @client_secret.setter
+    def client_secret(self, value: Optional[pulumi.Input[str]]):
+        pulumi.set(self, "client_secret", value)
+
+    @property
+    @pulumi.getter(name="clientSecretSha256")
+    def client_secret_sha256(self) -> Optional[pulumi.Input[str]]:
+        """
+        Output only. SHA256 hash value for the client secret. This field
+        is returned by IAP when the settings are retrieved.
+        """
+        return pulumi.get(self, "client_secret_sha256")
+
+    @client_secret_sha256.setter
+    def client_secret_sha256(self, value: Optional[pulumi.Input[str]]):
+        pulumi.set(self, "client_secret_sha256", value)
+
+
+if not MYPY:
+    class SettingsApplicationSettingsArgsDict(TypedDict):
+        access_denied_page_settings: NotRequired[pulumi.Input['SettingsApplicationSettingsAccessDeniedPageSettingsArgsDict']]
+        """
+        Customization for Access Denied page. IAP allows customers to define a custom URI
+        to use as the error page when access is denied to users. If IAP prevents access
+        to this page, the default IAP error page will be displayed instead.
+        Structure is documented below.
+        """
+        attribute_propagation_settings: NotRequired[pulumi.Input['SettingsApplicationSettingsAttributePropagationSettingsArgsDict']]
+        """
+        Settings to configure attribute propagation.
+        Structure is documented below.
+        """
+        cookie_domain: NotRequired[pulumi.Input[str]]
+        """
+        The Domain value to set for cookies generated by IAP. This value is not validated by the API,
+        but will be ignored at runtime if invalid.
+        """
+        csm_settings: NotRequired[pulumi.Input['SettingsApplicationSettingsCsmSettingsArgsDict']]
+        """
+        Settings to configure IAP's behavior for a service mesh.
+        Structure is documented below.
+        """
+elif False:
+    SettingsApplicationSettingsArgsDict: TypeAlias = Mapping[str, Any]
+
+@pulumi.input_type
+class SettingsApplicationSettingsArgs:
+    def __init__(__self__, *,
+                 access_denied_page_settings: Optional[pulumi.Input['SettingsApplicationSettingsAccessDeniedPageSettingsArgs']] = None,
+                 attribute_propagation_settings: Optional[pulumi.Input['SettingsApplicationSettingsAttributePropagationSettingsArgs']] = None,
+                 cookie_domain: Optional[pulumi.Input[str]] = None,
+                 csm_settings: Optional[pulumi.Input['SettingsApplicationSettingsCsmSettingsArgs']] = None):
+        """
+        :param pulumi.Input['SettingsApplicationSettingsAccessDeniedPageSettingsArgs'] access_denied_page_settings: Customization for Access Denied page. IAP allows customers to define a custom URI
+               to use as the error page when access is denied to users. If IAP prevents access
+               to this page, the default IAP error page will be displayed instead.
+               Structure is documented below.
+        :param pulumi.Input['SettingsApplicationSettingsAttributePropagationSettingsArgs'] attribute_propagation_settings: Settings to configure attribute propagation.
+               Structure is documented below.
+        :param pulumi.Input[str] cookie_domain: The Domain value to set for cookies generated by IAP. This value is not validated by the API,
+               but will be ignored at runtime if invalid.
+        :param pulumi.Input['SettingsApplicationSettingsCsmSettingsArgs'] csm_settings: Settings to configure IAP's behavior for a service mesh.
+               Structure is documented below.
+        """
+        if access_denied_page_settings is not None:
+            pulumi.set(__self__, "access_denied_page_settings", access_denied_page_settings)
+        if attribute_propagation_settings is not None:
+            pulumi.set(__self__, "attribute_propagation_settings", attribute_propagation_settings)
+        if cookie_domain is not None:
+            pulumi.set(__self__, "cookie_domain", cookie_domain)
+        if csm_settings is not None:
+            pulumi.set(__self__, "csm_settings", csm_settings)
+
+    @property
+    @pulumi.getter(name="accessDeniedPageSettings")
+    def access_denied_page_settings(self) -> Optional[pulumi.Input['SettingsApplicationSettingsAccessDeniedPageSettingsArgs']]:
+        """
+        Customization for Access Denied page. IAP allows customers to define a custom URI
+        to use as the error page when access is denied to users. If IAP prevents access
+        to this page, the default IAP error page will be displayed instead.
+        Structure is documented below.
+        """
+        return pulumi.get(self, "access_denied_page_settings")
+
+    @access_denied_page_settings.setter
+    def access_denied_page_settings(self, value: Optional[pulumi.Input['SettingsApplicationSettingsAccessDeniedPageSettingsArgs']]):
+        pulumi.set(self, "access_denied_page_settings", value)
+
+    @property
+    @pulumi.getter(name="attributePropagationSettings")
+    def attribute_propagation_settings(self) -> Optional[pulumi.Input['SettingsApplicationSettingsAttributePropagationSettingsArgs']]:
+        """
+        Settings to configure attribute propagation.
+        Structure is documented below.
+        """
+        return pulumi.get(self, "attribute_propagation_settings")
+
+    @attribute_propagation_settings.setter
+    def attribute_propagation_settings(self, value: Optional[pulumi.Input['SettingsApplicationSettingsAttributePropagationSettingsArgs']]):
+        pulumi.set(self, "attribute_propagation_settings", value)
+
+    @property
+    @pulumi.getter(name="cookieDomain")
+    def cookie_domain(self) -> Optional[pulumi.Input[str]]:
+        """
+        The Domain value to set for cookies generated by IAP. This value is not validated by the API,
+        but will be ignored at runtime if invalid.
+        """
+        return pulumi.get(self, "cookie_domain")
+
+    @cookie_domain.setter
+    def cookie_domain(self, value: Optional[pulumi.Input[str]]):
+        pulumi.set(self, "cookie_domain", value)
+
+    @property
+    @pulumi.getter(name="csmSettings")
+    def csm_settings(self) -> Optional[pulumi.Input['SettingsApplicationSettingsCsmSettingsArgs']]:
+        """
+        Settings to configure IAP's behavior for a service mesh.
+        Structure is documented below.
+        """
+        return pulumi.get(self, "csm_settings")
+
+    @csm_settings.setter
+    def csm_settings(self, value: Optional[pulumi.Input['SettingsApplicationSettingsCsmSettingsArgs']]):
+        pulumi.set(self, "csm_settings", value)
+
+
+if not MYPY:
+    class SettingsApplicationSettingsAccessDeniedPageSettingsArgsDict(TypedDict):
+        access_denied_page_uri: NotRequired[pulumi.Input[str]]
+        """
+        The URI to be redirected to when access is denied.
+        """
+        generate_troubleshooting_uri: NotRequired[pulumi.Input[bool]]
+        """
+        Whether to generate a troubleshooting URL on access denied events to this application.
+        """
+        remediation_token_generation_enabled: NotRequired[pulumi.Input[bool]]
+        """
+        Whether to generate remediation token on access denied events to this application.
+        """
+elif False:
+    SettingsApplicationSettingsAccessDeniedPageSettingsArgsDict: TypeAlias = Mapping[str, Any]
+
+@pulumi.input_type
+class SettingsApplicationSettingsAccessDeniedPageSettingsArgs:
+    def __init__(__self__, *,
+                 access_denied_page_uri: Optional[pulumi.Input[str]] = None,
+                 generate_troubleshooting_uri: Optional[pulumi.Input[bool]] = None,
+                 remediation_token_generation_enabled: Optional[pulumi.Input[bool]] = None):
+        """
+        :param pulumi.Input[str] access_denied_page_uri: The URI to be redirected to when access is denied.
+        :param pulumi.Input[bool] generate_troubleshooting_uri: Whether to generate a troubleshooting URL on access denied events to this application.
+        :param pulumi.Input[bool] remediation_token_generation_enabled: Whether to generate remediation token on access denied events to this application.
+        """
+        if access_denied_page_uri is not None:
+            pulumi.set(__self__, "access_denied_page_uri", access_denied_page_uri)
+        if generate_troubleshooting_uri is not None:
+            pulumi.set(__self__, "generate_troubleshooting_uri", generate_troubleshooting_uri)
+        if remediation_token_generation_enabled is not None:
+            pulumi.set(__self__, "remediation_token_generation_enabled", remediation_token_generation_enabled)
+
+    @property
+    @pulumi.getter(name="accessDeniedPageUri")
+    def access_denied_page_uri(self) -> Optional[pulumi.Input[str]]:
+        """
+        The URI to be redirected to when access is denied.
+        """
+        return pulumi.get(self, "access_denied_page_uri")
+
+    @access_denied_page_uri.setter
+    def access_denied_page_uri(self, value: Optional[pulumi.Input[str]]):
+        pulumi.set(self, "access_denied_page_uri", value)
+
+    @property
+    @pulumi.getter(name="generateTroubleshootingUri")
+    def generate_troubleshooting_uri(self) -> Optional[pulumi.Input[bool]]:
+        """
+        Whether to generate a troubleshooting URL on access denied events to this application.
+        """
+        return pulumi.get(self, "generate_troubleshooting_uri")
+
+    @generate_troubleshooting_uri.setter
+    def generate_troubleshooting_uri(self, value: Optional[pulumi.Input[bool]]):
+        pulumi.set(self, "generate_troubleshooting_uri", value)
+
+    @property
+    @pulumi.getter(name="remediationTokenGenerationEnabled")
+    def remediation_token_generation_enabled(self) -> Optional[pulumi.Input[bool]]:
+        """
+        Whether to generate remediation token on access denied events to this application.
+        """
+        return pulumi.get(self, "remediation_token_generation_enabled")
+
+    @remediation_token_generation_enabled.setter
+    def remediation_token_generation_enabled(self, value: Optional[pulumi.Input[bool]]):
+        pulumi.set(self, "remediation_token_generation_enabled", value)
+
+
+if not MYPY:
+    class SettingsApplicationSettingsAttributePropagationSettingsArgsDict(TypedDict):
+        enable: NotRequired[pulumi.Input[bool]]
+        """
+        Whether the provided attribute propagation settings should be evaluated on user requests.
+        If set to true, attributes returned from the expression will be propagated in the set output credentials.
+        """
+        expression: NotRequired[pulumi.Input[str]]
+        """
+        Raw string CEL expression. Must return a list of attributes. A maximum of 45 attributes can
+        be selected. Expressions can select different attribute types from attributes:
+        attributes.saml_attributes, attributes.iap_attributes.
+        """
+        output_credentials: NotRequired[pulumi.Input[Sequence[pulumi.Input[str]]]]
+        """
+        Which output credentials attributes selected by the CEL expression should be propagated in.
+        All attributes will be fully duplicated in each selected output credential.
+        Possible values are:
+        * `HEADER`: Propagate attributes in the headers with "x-goog-iap-attr-" prefix.
+        * `JWT`: Propagate attributes in the JWT of the form:
+        "additional_claims": { "my_attribute": ["value1", "value2"] }
+        * `RCTOKEN`: Propagate attributes in the RCToken of the form: "
+        additional_claims": { "my_attribute": ["value1", "value2"] }
+        Each value may be one of: `HEADER`, `JWT`, `RCTOKEN`.
+        """
+elif False:
+    SettingsApplicationSettingsAttributePropagationSettingsArgsDict: TypeAlias = Mapping[str, Any]
+
+@pulumi.input_type
+class SettingsApplicationSettingsAttributePropagationSettingsArgs:
+    def __init__(__self__, *,
+                 enable: Optional[pulumi.Input[bool]] = None,
+                 expression: Optional[pulumi.Input[str]] = None,
+                 output_credentials: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None):
+        """
+        :param pulumi.Input[bool] enable: Whether the provided attribute propagation settings should be evaluated on user requests.
+               If set to true, attributes returned from the expression will be propagated in the set output credentials.
+        :param pulumi.Input[str] expression: Raw string CEL expression. Must return a list of attributes. A maximum of 45 attributes can
+               be selected. Expressions can select different attribute types from attributes:
+               attributes.saml_attributes, attributes.iap_attributes.
+        :param pulumi.Input[Sequence[pulumi.Input[str]]] output_credentials: Which output credentials attributes selected by the CEL expression should be propagated in.
+               All attributes will be fully duplicated in each selected output credential.
+               Possible values are:
+               * `HEADER`: Propagate attributes in the headers with "x-goog-iap-attr-" prefix.
+               * `JWT`: Propagate attributes in the JWT of the form:
+               "additional_claims": { "my_attribute": ["value1", "value2"] }
+               * `RCTOKEN`: Propagate attributes in the RCToken of the form: "
+               additional_claims": { "my_attribute": ["value1", "value2"] }
+               Each value may be one of: `HEADER`, `JWT`, `RCTOKEN`.
+        """
+        if enable is not None:
+            pulumi.set(__self__, "enable", enable)
+        if expression is not None:
+            pulumi.set(__self__, "expression", expression)
+        if output_credentials is not None:
+            pulumi.set(__self__, "output_credentials", output_credentials)
+
+    @property
+    @pulumi.getter
+    def enable(self) -> Optional[pulumi.Input[bool]]:
+        """
+        Whether the provided attribute propagation settings should be evaluated on user requests.
+        If set to true, attributes returned from the expression will be propagated in the set output credentials.
+        """
+        return pulumi.get(self, "enable")
+
+    @enable.setter
+    def enable(self, value: Optional[pulumi.Input[bool]]):
+        pulumi.set(self, "enable", value)
+
+    @property
+    @pulumi.getter
+    def expression(self) -> Optional[pulumi.Input[str]]:
+        """
+        Raw string CEL expression. Must return a list of attributes. A maximum of 45 attributes can
+        be selected. Expressions can select different attribute types from attributes:
+        attributes.saml_attributes, attributes.iap_attributes.
+        """
+        return pulumi.get(self, "expression")
+
+    @expression.setter
+    def expression(self, value: Optional[pulumi.Input[str]]):
+        pulumi.set(self, "expression", value)
+
+    @property
+    @pulumi.getter(name="outputCredentials")
+    def output_credentials(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
+        """
+        Which output credentials attributes selected by the CEL expression should be propagated in.
+        All attributes will be fully duplicated in each selected output credential.
+        Possible values are:
+        * `HEADER`: Propagate attributes in the headers with "x-goog-iap-attr-" prefix.
+        * `JWT`: Propagate attributes in the JWT of the form:
+        "additional_claims": { "my_attribute": ["value1", "value2"] }
+        * `RCTOKEN`: Propagate attributes in the RCToken of the form: "
+        additional_claims": { "my_attribute": ["value1", "value2"] }
+        Each value may be one of: `HEADER`, `JWT`, `RCTOKEN`.
+        """
+        return pulumi.get(self, "output_credentials")
+
+    @output_credentials.setter
+    def output_credentials(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]):
+        pulumi.set(self, "output_credentials", value)
+
+
+if not MYPY:
+    class SettingsApplicationSettingsCsmSettingsArgsDict(TypedDict):
+        rctoken_aud: NotRequired[pulumi.Input[str]]
+        """
+        Audience claim set in the generated RCToken. This value is not validated by IAP.
+        """
+elif False:
+    SettingsApplicationSettingsCsmSettingsArgsDict: TypeAlias = Mapping[str, Any]
+
+@pulumi.input_type
+class SettingsApplicationSettingsCsmSettingsArgs:
+    def __init__(__self__, *,
+                 rctoken_aud: Optional[pulumi.Input[str]] = None):
+        """
+        :param pulumi.Input[str] rctoken_aud: Audience claim set in the generated RCToken. This value is not validated by IAP.
+        """
+        if rctoken_aud is not None:
+            pulumi.set(__self__, "rctoken_aud", rctoken_aud)
+
+    @property
+    @pulumi.getter(name="rctokenAud")
+    def rctoken_aud(self) -> Optional[pulumi.Input[str]]:
+        """
+        Audience claim set in the generated RCToken. This value is not validated by IAP.
+        """
+        return pulumi.get(self, "rctoken_aud")
+
+    @rctoken_aud.setter
+    def rctoken_aud(self, value: Optional[pulumi.Input[str]]):
+        pulumi.set(self, "rctoken_aud", value)
+
+
 if not MYPY:
     class TunnelDestGroupIamBindingConditionArgsDict(TypedDict):
         expression: pulumi.Input[str]